[Original text] Buffer overflow in client/server Doom (csDoom) 0.7 and earlier allows remote attackers to (1) cause a denial of service via a long nickname or teamname to the SV_SetupUserInfo function or (2) execute arbitrary code via a long string sent when joining a match or a long chat message to the SV_BroadcastPrintf function.

-
Affected program versions

X-Doom X-Doom VI 1.6.7
csDoom csDoom 2005 0.7

-
Vulnerability discussion

csDoom 2005 is prone to multiple buffer-overflow and format-string vulnerabilities.

The buffer-overflow issues are due to the application's failure to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer. The format-string vulnerabilities are due to the application's failure to properly sanitize user-supplied input before using it in a formatted-printing function.

These issues may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the targeted application. Both clients and servers are affected by these issues.
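The two defensive patterns the discussion above calls for, written as an added illustration rather than csDoom's own code: a user-info handler that rejects over-long nickname and teamname values before storing them, and a broadcast routine that passes client text as a "%s" argument instead of using it as the format string. The buffer sizes and function names are assumptions, not the project's.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes: csDoom's real limits are not stated on this page. */
#define MAX_NICK 32
#define MAX_TEAM 32
#define MAX_MSG  256

typedef struct {
    char nickname[MAX_NICK];
    char teamname[MAX_TEAM];
} userinfo_t;

/* Copy a client-supplied string into a fixed buffer only if it fits,
 * terminator included. Returns 0 on success, -1 when the input is rejected. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz); /* scans at most dstsz bytes */
    if (end == NULL)
        return -1;                              /* no terminator in range: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hardened counterpart to a SV_SetupUserInfo-style handler (hypothetical name):
 * both fields are length-checked first, so an over-long name cannot overflow. */
int setup_user_info(userinfo_t *u, const char *nick, const char *team)
{
    userinfo_t tmp;
    if (copy_bounded(tmp.nickname, sizeof tmp.nickname, nick) != 0)
        return -1;
    if (copy_bounded(tmp.teamname, sizeof tmp.teamname, team) != 0)
        return -1;
    *u = tmp;                                   /* commit only after both checks pass */
    return 0;
}

/* Hardened counterpart to a SV_BroadcastPrintf-style routine (hypothetical name):
 * the chat text is a "%s" argument, never the format itself, so directives such
 * as %x or %n inside a message stay literal. Returns the length written or -1. */
int broadcast_chat(char *out, size_t outsz, const char *nick, const char *msg)
{
    if (memchr(msg, '\0', MAX_MSG) == NULL)
        return -1;                              /* message exceeds the chat limit */
    int n = snprintf(out, outsz, "<%s> %s", nick, msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                              /* would not fit: refuse, do not truncate */
    return n;
}
```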

-
Exploitation

A proof-of-concept exploit application by Luigi Auriemma is available.